Islamic Republic of Iran October 2017

Chief of State: Supreme Leader Ali Hoseini-Khamenei Government: Theocratic Republic Capital: Tehran National Holiday: 1st April1 GDP by sector: Agriculture (9.1%), Industry (39.9%), Services (51%) Export Partners: China (22.4%), India (8.7%), Turkey (8.5%), Japan (4.5%) Import Partners: UAE (39.5%), China (22.3%), South Korea (4.7%), Turkey (4.6%) Top Exports: Petroleum (80%), Chemical and petrochemicals, fruit and nuts, carpets, cement, ore2 Conflict areas: Syria, Iraq, Yemen, Israeli occupation of Palestine, US interference, Saudi Arabian influence Major Religions: Muslim (99.4%) — Shia (90 – 95%), Sunni (5 – 10%), other (Zoroastrian, Jewish and Christian)3

Current Landscape International Relations part they have an abundance of conventional missiles6. However, the goal to become a nuclear power is in Iran’s foreign policy with its neighbours and globally alignment with its regional ambitions to have better US is entrenched in a number of issues. One that it is deterrence and more regional political leverage. The dominated by the petrochemical industry, nuclear Joint Comprehensive Plan of Action (JCPOA), set forth enrichment, an ideological framework, regional turmoil requirements for Iran to halt its uranium enrichment, and relative isolation4. Since the fall of the Soviet and make efforts to alter regional activities, including Union and the increased presence of US troops in the supporting proxy groups and terrorist organisations, for region, it has had to handle perceived existential threat some sanctions relief. The US Trump administration has from the US and its allies and a unique set of regional adopted an oppositional outlook towards Tehran once influences5. Overall Iran experiences cordial relations again however, as evidenced by changing their position with South Caucasus and Central Asia, underpinned on the JCPOA. by a pragmatic outlook that does not want to upset Moscow or Beijing. It sees Armenia as its “gateway to Internal security posture Europe” and Turkmenistan as its “gateway to Central Asia”. Iran prioritises relations from the Persian Gulf Securing control of its internal political space is a top and Levant alongside Turkey. It sees Israel and Saudi priority for the Iranian regime. The ability to cause soci- Arabia as threats to its existence and its future as the etal discontent through online communication channels, dominant regional power. Iran’s nuclear ambitions have and generate conflict was felt keenly by the Middle East been the cause for ongoing international sanctions in the aftermath of the Arab Spring in 2011. Since then, against its financial, petrochemical, transportation and Iran has invested in internal internet governance and shipping sectors. Reports surrounding their enrichment pursued a hard-line stance against perceived dissident program suggest the country is a long way off equipping or anti-revolutionary activity. The Islamic Revolutionary missiles with nuclear warheads and that for the most Guard Corps (IRGC) website details some of the country’s

1. A public holiday celebrating the establishment of the Islamic Republic in 1979 2. https://www.cia.gov/library/publications/the-world-factbook/geos/ir.html 6. https://www.cia.gov/library/publications/the-world-factbook/geos/ir.html 4. https://csis-prod.s3.amazonaws.com/s3fs-public/publication/170421_Farhi_Iranian_Power_Projection.pdf 5. https://csis-prod.s3.amazonaws.com/s3fs-public/publication/160420_Milani_IranReconnectingEurasia_Web.pdf 6. https://csis-prod.s3.amazonaws.com/s3fs-public/legacy_files/files/publication/141218_Cordesman_IranRocketMissileForces_Web.pdf

1 © 2017 Anomali, Inc. All rights reserved. strategy in this area, and justifies its goals as helping to all voiced opposition to Trump’s unilateral stance. During define parameters for “acceptable culture”7. The pur- 2016 the economy experienced a notable recovery. suit of internal control has led to the implementation of the National Information Network (NIN). This is based National Cyber-Strategy on ideas to monitor internet usage, and block subver- Iran’s attention was drawn to the development of its sive content, not unlike SORM of Russia and the “Great own offensive and defensive cyber capability after being Chinese Firewall”. The data captured by this national attacked by the Stuxnet virus, followed by Duqu and intranet can be accessed by the country’s intelligence Flame. The government pledged $1 billion investment and law enforcement agencies8. Freedom of expression in 201113, creating the Supreme Council of Cyberspace is regularly reported as being restricted as well. Iranian (SCC), Cyber Headquarters (under the Armed Forces legislation makes many non-violent crimes punishable General Staff), Cyber Command, the Basij cyberspace by death. Many ordinary users of social media have been council, Cyber Police FETA and began recruiting talent brought to the IRGC or arrested for making comments into the industry. ICT ministries cooperated with the on controversial issues (such as fashion)9. In 2016 Iran AFGS Cyber Headquarters to monitor vulnerabilities carried out the largest mass executions in years. Despite and threats to infrastructure. The SCC works with the being considered a moderate, President Rouhani has National Center of Cyberspace under the direction of been accused of not doing enough to counter the more President Hassan Rouhani and Secretary Abolhassan hard-line actions of the judiciary or the IRGC10. Firouzabadi, coordinating and implementing cyberspace 14 Economy policy in Iran . The MAHER/ Iran National CERT is responsible for incident response15. Since Stuxnet, Iran Iran is the second largest economy (after Saudi Arabia) has matured into one of the more advanced actors in the Middle East and North African region (MENA), globally, not afraid of being offensively oriented. and has the second largest population after Egypt11. The country relies heavily on oil revenues. Rigorous implementation of sanctions over the last several years have Iranian Intelligence and Cyber been hard hitting on the economy. Between 2011 and Services 2014 the currency took a nosedive as the Rial lost 80% of The fast development of Iran’s cyber capability has meant its value against the dollar12. Iran has the second largest that a number of organisations have been either created proven natural gas deposits globally, and could counter or have developed their own subdivisions to carry out the impact of sanctions on oil, but it requires foreign activity. The Supreme National Security Council under investment. Due to the sanctions, many countries and the auspices of the Supreme Leader Khamenei, seems companies have shied away from investing in Iran’s gas to oversee all of the different intelligence services. The deposits. Despite some gains under previous sanc- most prominent intelligence service seems to be the tions in the international community’s eyes, present US Ministry of Intelligence and Security (MOIS), which works leadership does not seem to articulate a very promising in conduit with the Islamic Revolutionary Guard Corp’s outlook. However, Europe, Russia, China and India have (IRGC) Quds-Force and intelligence unit. Supreme National Security Council (SNSC) Head: Supreme Leader Ali Hoseini-Khamenei President: President Hassan Fereydoon Rouhani Areas of Concern: To “watch over the Islamic revolution and safeguard the Islamic Republic of Iran’s national interests”. To “coordinate political, intelligence, social, cultural, and economic activities”16

7. https://www.aei.org/publication/iran-comprehensive-legal-system-for-internet-and-cyberspace/ 8. https://www.iranhumanrights.org/2016/10/ten-things-you-should-know-about-irans-national-internet-project/ 9. https://www.hrw.org/world-report/2017/country-chapters/iran 10. https://freedomhouse.org/report/freedom-world/2017/iran 11. http://www.worldbank.org/en/country/iran/overview 12. https://csis-prod.s3.amazonaws.com/s3fs-public/legacy_files/files/publication/140122_Cordesman_IranSanctions_Web.pdf 13. https://www.files.ethz.ch/isn/154842/No375_15OCT2012.pdf 14. http://techrasa.com/2017/08/27/all-you-need-know-about-internet-censorship-iran/ 15. https://www.files.ethz.ch/isn/154842/No375_15OCT2012.pdf 16. http://www.iranonline.com/iran/iran-info/government/Supreme-National-Security-Council.html

Minister: Seyyed Mahmoud Alavi17 Headquarters: Mehran, Tehran, Tehran Province, Iran Type of Service: Domestic intelligence service Areas of Concern: Intelligence collection and analysis, counter-intelligence, disinformation, works with Quds-Force, to identify antirevolutionary forces, provides resources to proxy-groups (Hamas, Hezbollah etc.) 18 Branches: Counterintelligence Directorate, Oghab 2

Islamic Revolutionary Guard Corps (IRGC) Chief Commander: Maj. Gen. Mohammad Ali Jafari19 Areas of Concern: Defending the regime, Military operations, HUMINT, SIGINT20 Branches: Land force, Navy, Airforce, Intelligence Unit, Quds-force (special forces), Basij (has cyberspace council21)22 Associated Groups: Iran Cyber Army (ICA)23/ Iran cybersecurity division24 25 26, Ashiyane Digital Secuirty Team27 28, Hizbullah Cyber Army, Qassam Cyber Fighters, Virtual Anonymous Jihad29, APT33?30, Rocket Kitten? 31 32 Campaigns: Operation Cleaver, Shamoon, Operation Ababil, Saffron Rose, Newscaster, Diginotar, Comodo33, Operation Wilted Tulip34

Cyber Police FATA Chief: Seyyed Kamal Hadianfar Headquarters: Police Headquarter, Attar street, Vanak Sq, Tehran, Iran Type of Service: Law enforcement Areas of Concern: Monitoring online activity including social media, combating fraud, working with international partners to combat organized crime.

Passive Defensive Organization & Cyber Defense Command Commander: Brigadier General Gholam-Reza Jalali 35 Parent Organisation: General Staff of the Armed Forces36, IRGC?37

17. vaja.ir/Portal/Home 18. http://www.parstimes.com/history/mois_loc.pdf 19. http://theiranproject.com/blog/2017/10/12/trump-prompts-rouhani-administration-irgc-close-ranks/ 20. http://www.parstimes.com/history/mois_loc.pdf 21. https://english.alarabiya.net/en/News/middle-east/2016/12/05/Iran-creates-electronic-Brigades-for-cyber-war.html 22. http://www.iranwatch.org/iranian-entities/islamic-revolutionary-guard-corps-irgc 23. https://www.mojahedin.org/newsen/45167/Opposition-Group-Iran%E2%80%99s-%E2%80%98Cyber-Army%E2%80%99-Falls-Under- the-Command-of-the-IRGC 24. http://cyberarmy.blogfa.com/ 25. https://english.alarabiya.net/en/News/middle-east/2016/12/05/Iran-creates-electronic-Brigades-for-cyber-war.html 26. http://sayberi174.ir/ 27. https://www.memri.org/reports/irans-cyber-war-hackers-service-regime-irgc-claims-iran-can-hack-enemys-advanced-weapons 28. ashiyane.ir 29. http://info.bayshorenetworks.com/hubfs/assets/press-releases/IDR_nov52013.pdf?t=1498223049158 30. https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html 31. https://www.checkpoint.com/press/2015/new-details-rocket-kitten/ 32. https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf

3 © 2017 Anomali, Inc. All rights reserved. Activity Overview the destructive Shamoon virus targeted Saudi Aramco (Saudi Arabia’s state-owned oil company). Saudi is a The Islamic Republic’s revolutionary foundations have competing regional power led by a Sunni government helped to orient its offensive activities (both standard that Iran is in direct confrontation with. This manifests and cyber) in an asymmetric fashion. This is because in the surrounding conflicts and in the energy industry. of the unique regional influences it has to contend They also share a long-term, overarching historic notion with, including a number of global powers exercising of religious superiority that is in direct conflict (Sunni direct and indirect power over its affairs. Because of vs Shia). This ideological conflict is entrenched and is the early trauma of the Stuxnet virus, Iran has been unlikely to be resolved. able to experience first-hand the impact of such a campaign. With investment, a sophisticated offensive Future Concerns cyber capability could grant Iran the leverage it craves as a US deterrent and regional power. Therefore, it is not Saudi Arabia surprising that Iran capitalized on the attack and has The relationship between Riyadh and Tehran has been since aggressively pursued its own capability. They are tenuous and complex at best. The two regional powers already more mature than most of the Gulf Cooperation are usually discussed in context of their ideologically Council states (GCC). opposed religious affiliation, Saudi Arabia has majority Sunni population whilst Iran is Shia. The conflict between One of the major worries from the international the two countries was deepened more recently by a community, voiced in the implementation of sanctions harsh anti-Iranian resolution issued at the UN in 2016, over the years, has been Tehran’s support of proxy- and the execution of a prominent Shia cleric Sheikh groups. Some of these groups, labelled as terrorist Nimr al-Nimr42. When Iran was given the opportunity to organisations, operate in regional conflict hotspots such start participating in the international economic system as Palestine, Yemen and Syria. Iran provides training again, Saudi Arabia viewed this with alarm43. Given the and resources to groups such as Lebanese Hezbollah, pragmatic approach Iran has displayed towards meeting Badr Corps, Kata’ib Hezbollah and Asa’ib ahl al-Haq38. In its requirements in the JCPOA, some would suggest that a similar fashion (and not unlike other global powers), Iran is not going to be provocative and offensive. Saudi is the Islamic Republic has been using hacktivist groups better financed militarily and better equipped. However, to support its endeavours and further their own aims. in the long-term, Iran sees itself as progressing and There has even been reports that Iran may has been only becoming more influential whilst Saudi Arabia funding the Syrian Electronic Army (SEA)39 40. Its overt has to contend with maintaining an edge. Iran is likely support for Hezbollah, Houthis and Hamas are paralleled to continue to use indirect means to undermine Saudi in accusations that Iran is helping to form cyber units for Arabia, using proxy-groups and disinformation. proxy groups as well. Parallels can be drawn between those countries that The United States Iran perceives as a priority threat to the security of The United States has already been the at the receiving the republic, and attributed cyber campaigns. This is end of some of Iran’s offensive activity. The US is re- evidenced by US indictment of several Iranian individuals sponsible for the implementation of harsh international believed to be associated with the IRGC. The indictment sanctions that have demonstrably impacted the Iranian is in response to denial of service attacks against US economy. The JCPOA, agreed upon by moderate Pres- 41 financial entities between 2011 and 2013 . In 2012, ident Hassan Rouhani with the P5+1, provided some

33. https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf 34. http://www.clearskysec.com/tulip/ 35. http://www.iranwatch.org/iranian-entities/passive-defense-organization 36. https://www.files.ethz.ch/isn/154842/No375_15OCT2012.pdf 37. https://phoenixts.com/blog/the-iranian-cyber-threat-part-1-irans-total-cyber-structure/ 38. https://csis-prod.s3.amazonaws.com/s3fs-public/congressional_testimony/ts161206_Dalton_Testimony.pdf 39. https://motherboard.vice.com/en_us/article/nze5nk/the-syrian-electronic-armys-most-dangerous-hack 40. http://www.reuters.com/article/us-syria-crisis-cyberspace-analysis/analysis-syria-aided-by-iran-could-strike-back-at-u-s-in- cyberspace-idUSBRE97S04Z20130829 41. https://www.fbi.gov/wanted/cyber/iranian-ddos-attacks 42. https://www.wilsoncenter.org/publication/the-iran-saudi-arabia-conflict-and-its-impact-the-organization-islamic-cooperation 43. http://yaleglobal.yale.edu/content/iran-nuclear-deal-fuels-tension-saudi-arabia-inflaming-new-conflicts

4 © 2017 Anomali, Inc. All rights reserved. sanctions relief and this contributed to economic growth in is accused of only being interested in knowledge transfer 2016. However, the real threat of fresh and revived sanc- from Kazakstan’s scientists and as a source of Uranium48. tions from the Trump administration is likely to hurt Iran’s International suspicion has led Kazakhstan to be demon- renewed optimism and hostility can already be observed. strably cautious in its dealings with Tehran. Iran’s interest Confounded by a mixture of Anti-American sentiment based in Kazakhstan’s scientists could be an area of intellectual on historic regional US interference, Iran is unlikely to stop theft and cyber espionage as part of achieving its nuclear perceiving the US as an adversary in the near future. Conse- ambitions. quently, the US is a worthy adversary to conduct asymmetric activity against. This may manifest in both direct Syria/Iraq and indirect campaigns. It is probably not a coincidence Tehran supports President Bashar al-Assad along with that a country under harsh sanctions against its financial Russia in the Syrian civil war. Continued engagement in sector has historically targeted the financial sector of the this area is highly likely. Iran shares a border with Iraq, so said persecutor (US). This might be repeated, if so then the the outcome of the conflict and the need for a pro-Irani- mirror target for the IRGC would be US Cyber Command or an government is important. Iran is likely to continue to another government/military adversary. he ability for Iran undermine any progress Western-backed, or Saudi-backed to think strategically has been observed too though. It may forces make in the area through proxy-groups, cyber-at- opt for continuing its tradition of using proxy-groups to tacks and conventional military support. provoke and attack larger better equipped forces it doesn’t really want a full-scale war with44. Latin America Iran has reportedly operated an intelligence network in Israel Latin America for decades49. The network is believed to Iran has pursued an aggressive stance towards Israel since be channeled through embassies, mosques and affiliation fall of the Soviet Union, after which it severed diplomatic through Hezbollah. Hezbollah’s presence in the region has relations. This may have been due in part, for the need to been linked to organized crime and as a means for reve- appeal to Arab and Muslim opinion whilst relations were nue50. Iran is also not shy about conducting cyber-attacks redefined in that era. The then President Mahmoud Ah- in Latin America. A recent report showed Iran, working madinejad used very anti-Semitic language45. The creation in conduit with Venezuela, planning an attack against US of the state of Israel, and expansion of settlements, is a systems made to look like it originated from Mexico51. historic wound and reminder of Western interference in the Venezuela and Iran are both coping with oil sanctions, and region. Israel is accused of being behind the Stuxnet virus are working with Syria to construct a new refinery. With alongside the US. Iran is accused of funding and equipping this in mind, it would not be unreasonable to assume Iran Palestinian paramilitary group Hamas with missiles. During will continue to penetrate Latin America for intelligence Operation Protective Edge in 2014, in which 2,100 Pales- purposes, to subvert some of the constraints placed by tinians (mostly civilians)46 were killed by the Israel Defense international sanctions and as a means for proxy attacks. Force (IDF), Iran is attributed to a number of cyber-attacks against Israeli entities47. This relationship is unlikely to South Caucasus and Central Asia change in the near future as Israel is viewed as a justifiable Despite cordial relations with the majority of states in this adversary to attack and undermine through any means. region, Iran has to be very strategic in how it handles its relationships and access to resources. This is because of Kazakhstan the competing influences of China and Russia. Azerbaijan The location of Kazakhstan combined with it being the top has also been very close to Israel, exchanging defence tech- producer of Uranium, makes this country a very import- nology and increased trade. This has given Iran some cause ant ally of Iran. Sanctions impacted economic exchanges for concern. Any opportunity to understand the web of between the two states. Diplomatic relations between the interests in this area is likely to be taken advantage of. This two countries have come under suspicion in the past as Iran might indicate an area of interest for espionage campaigns.

44. http://www.soufangroup.com/tsg-intelbrief-irans-growing-cyber-capabilities/ 45. http://iranprimer.usip.org/resource/iran-and-israel 46. http://www.bbc.com/news/world-middle-east-28439404 47. https://www.files.ethz.ch/isn/183365/No.%20598%20-%20Gabi%20and%20Sami%20for%20web.pdf 48. https://csis-prod.s3.amazonaws.com/s3fs-public/publication/160420_Milani_IranReconnectingEurasia_Web.pdf 49. https://www.thecipherbrief.com/column_article/iran-and-hezbollah-remain-hyperactive-in-latin-america 50. http://iranprimer.usip.org/blog/2015/mar/18/irans-influence-latin-america 51. http://www.heritage.org/middle-east/commentary/iran-conducting-anti-us-operations-latin-america 5 © 2017 Anomali, Inc. All rights reserved.